abalage opened a new issue, #396:
URL: https://github.com/apache/apisix-helm-chart/issues/396

   Hi,
   
   I have changed the default admin key in apisix and apisix-ingress-controller according to the [FAQ](https://github.com/apache/apisix-ingress-controller/blob/master/docs/en/latest/FAQ.md#how-do-i-modify-the-admin-api-key-in-apisix-ingress).
   Checking the logs of the ingress controller it logs the new admin token in plain text.
   As container logs are usually collected and shipped to 3rd party systems this effect leaks sensitive data.
   
   Snippet generated by `helm template` on release 0.11.2.
   ```
   apiVersion: v1
   data:
     config.yaml: |
       # log options
       log_level: "info"
       log_output: "stderr"
       cert_file: "/etc/webhook/certs/cert.pem"
       key_file: "/etc/webhook/certs/key.pem"
       http_listen: ":8080"
       https_listen: ":8443"
       ingress_publish_service:
       enable_profiling: false
       apisix-resource-sync-interval: 300s
       kubernetes:
         kubeconfig: ""
         resync_interval: "6h"
         app_namespaces:
         - "cddmp"
         namespace_selector:
         - ""
         election_id: "ingress-apisix-leader"
         ingress_class: "apisix"
         ingress_version: "networking/v1"
         watch_endpointslices: false
         apisix_route_version: "apisix.apache.org/v2"
         enable_gateway_api: false
       apisix:
   
         default_cluster_base_url: http://apisix-admin.foobar.svc.cluster.local:9180/apisix/admin
   
         default_cluster_admin_key: "newsecrettoken"
         default_cluster_name: "default"
   kind: ConfigMap
   metadata:
     name: apisix-configmap
     namespace: cddmp
     labels:
       helm.sh/chart: ingress-controller-0.10.1
       app.kubernetes.io/name: ingress-controller
       app.kubernetes.io/instance: apisix
       app.kubernetes.io/version: "1.5.0"
       app.kubernetes.io/managed-by: Helm
   
   ```
   
   Snippet from the very beginning of log file.
   ```
   2022-11-17T18:43:52+08:00    info   ingress/ingress.go:113  apisix ingress controller started
   2022-11-17T18:43:52+08:00    info   ingress/ingress.go:115  version:
   Version: 1.5.0
   Git SHA: no-git-module
   Go Version: go1.19.2
   Building OS/Arch: linux/amd64
   Running OS/Arch: linux/amd64
   
   2022-11-17T18:43:52+08:00    info   ingress/ingress.go:121  use configuration
   {
        "cert_file": "/etc/webhook/certs/cert.pem",
        "key_file": "/etc/webhook/certs/key.pem",
        "log_level": "info",
        "log_output": "stderr",
        "http_listen": ":8080",
        "https_listen": ":8443",
        "ingress_publish_service": "",
        "ingress_status_address": [],
        "enable_profiling": false,
        "kubernetes": {
                "kubeconfig": "",
                "resync_interval": "6h0m0s",
                "app_namespaces": [
                        "cddmp"
                ],
                "namespace_selector": [],
                "election_id": "ingress-apisix-leader",
                "ingress_class": "apisix",
                "ingress_version": "networking/v1",
                "watch_endpoint_slices": false,
                "apisix_route_version": "apisix.apache.org/v2",
                "api_version": "apisix.apache.org/v2",
                "enable_gateway_api": false
        },
        "apisix": {
                "default_cluster_name": "default",
                "default_cluster_base_url": "http://apisix-admin.foobar.svc.cluster.local:9180/apisix/admin",
                "default_cluster_admin_key": "newsecrettoken"
        },
        "apisix-resource-sync-interval": "5m0s"
   }
   ```
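
Added example, not part of the original issue and not code from apisix-ingress-controller: one way to keep the admin key out of a startup dump like the one above is a string type that masks itself on the JSON and `fmt` paths. The `Secret` type, the trimmed `Config` structs and the function names are assumptions made for illustration; the sample values are constructed from the issue's snippet.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Secret is a hypothetical type (not from apisix-ingress-controller) that masks itself when logged.
type Secret string

func (s Secret) masked() string {
	if s == "" {
		return "" // keep "unset" visible to operators
	}
	return "******"
}
func (s Secret) String() string               { return s.masked() }                   // %v, %+v, %s
func (s Secret) GoString() string             { return fmt.Sprintf("%q", s.masked()) } // %#v
func (s Secret) MarshalJSON() ([]byte, error) { return json.Marshal(s.masked()) }      // JSON dump
func (s Secret) Reveal() string               { return string(s) }                    // explicit use only

// Trimmed-down, assumed mirror of the "apisix" section in the logged configuration.
type APISIXConfig struct {
	DefaultClusterBaseURL  string `json:"default_cluster_base_url"`
	DefaultClusterAdminKey Secret `json:"default_cluster_admin_key"`
}

type Config struct {
	LogLevel string       `json:"log_level"`
	APISIX   APISIXConfig `json:"apisix"`
}

// StartupDump renders cfg as indented JSON, like the "use configuration" log entry.
func StartupDump(cfg Config) (string, error) {
	b, err := json.MarshalIndent(cfg, "", "\t")
	return string(b), err
}

// SampleConfig returns constructed values taken from the issue's snippet.
func SampleConfig() Config {
	return Config{LogLevel: "info", APISIX: APISIXConfig{
		DefaultClusterBaseURL:  "http://apisix-admin.foobar.svc.cluster.local:9180/apisix/admin",
		DefaultClusterAdminKey: "newsecrettoken",
	}}
}

func main() {
	fmt.Println(StartupDump(SampleConfig())) // prints the dump, then the nil error
}
```

Code that actually needs the key to call the Admin API has to call `Reveal()`, which makes every use of the raw value easy to find in review.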

